SB2019010407 - Multiple vulnerabilities in VIVOTEK Network Camera Series

Description

This security bulletin contains information about 3 vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2018-18244)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can execute arbitrary JavaScript code via an HTTP Referer Header.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2018-18005)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can execute arbitrary JavaScript via a URL query string parameter.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Security restrictions bypass (CVE-ID: CVE-2018-18004)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to improper access control in mod_inetd.cgi. A remote attacker can bypass security restrictions and enable arbitrary system services via a URL parameter.

Remediation

Install update from vendor's website.

References

• http://download.vivotek.com/downloadfile/support/cyber-security/vvtk-sa-2018-006-v1.pdf
• https://blog.securityevaluators.com/vivotek-ip-camera-vulnerabilities-discovered-and-exploited-2e2531ecd244